Installing and Configuring SAP NetWeaver Identity Management User Interface for HTML5

PDF download from SAP Help Portal: http://help.sap.com/saphelp_nwidmic_72/helpdata/en/f2/14244e0fe24ba3a230f2613c477999/frameset.htm

Created on August 25, 2014

The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.

Note
This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

© 2014 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

PUBLIC © 2014 SAP SE or an SAP affiliate company. All rights reserved. Page 1 of 8


  • Table of content

    1 Installing and Configuring SAP NetWeaver Identity Management User Interface for HTML5
    1.1 Introduction
    1.1.1 SAP UI Development Toolkit for HTML5 (SAPUI5)
    1.1.2 SAP NetWeaver Identity Management REST Interface Version 2
    1.1.3 Prerequisites
    1.1.4 Installation and Configuration Process
    1.1.5 Limitations and Considerations
    1.2 Authorization and Authentication for the Identity Management User Interface for HTML5
    1.2.1 Assigning the Role idm.user
    1.2.2 Enabling Single Sign-On with Logon Tickets
    1.3 Adding the Predefined User Interface Tasks and Configuring the Solution
    1.3.1 Importing the Task Folder
    1.3.2 Configuring the Solution
    1.3.2.1 Defining the DESCRIPTION Attribute for the MX_ROLE Entry Type
    1.3.2.2 Maintaining the Attributes for the My Data Task
    1.3.2.2.1 Virus Scan Interface
    1.3.2.3 Maintaining the Attribute MX_BUSINESS_AREA for Entry Type MX_ROLE
    1.3.2.4 Access Control for the Tasks
    1.3.2.5 Configuring the AS Java for SSL Use
    1.4 Deploying the Identity Management User Interface for HTML5
    1.5 Accessing the Identity Management User Interface for HTML5
    1.6 Upgrading the Identity Management User Interface for HTML5


  • 1 Installing and Configuring SAP NetWeaver Identity Management User Interface for HTML5

    This document describes how to install and configure the SAP NetWeaver Identity Management User Interface for HTML5.

    1.1 Introduction

    SAP NetWeaver Identity Management User Interface for HTML5 is a user interface based on HTML5 and JavaScript, and developed using the SAP UI Development toolkit for HTML5 (SAPUI5). It also uses SAP NetWeaver Identity Management REST Interface Version 2.

    SAP NetWeaver Identity Management User Interface for HTML5 can be used by all users to maintain their own profile information and request new roles (self-service). Authorizations are grouped into business roles, which are made available to end users, who can request assignment of the business roles. SAP NetWeaver Identity Management User Interface for HTML5 only supports assignment requests for business roles, that is, users cannot request privilege assignments.

    Managers and administrators can also use SAP NetWeaver Identity Management User Interface for HTML5 for role request approvals. Although privilege assignment requests from the users are not supported, the My Approvals page supports approving and declining both business role assignments and privilege assignments for managers and administrators, to support cases in which approval workflows are set up for individual privileges, triggered either by automated processes or other UIs or APIs.

    1.1.1 SAP UI Development Toolkit for HTML5 (SAPUI5)

    The SAP UI Development Toolkit for HTML5 (SAPUI5) is SAP's new enterprise-ready HTML5 rendering library for client-side UI rendering and programming. It combines the advantages of being open and flexible as well as being enterprise ready, supporting all SAP Product Standards. While Web Dynpro is best suited to heavyweight transactional applications for expert usage, SAPUI5 is designed for building lightweight consumer-grade UIs for casual usage. It is aimed at developers at SAP and customers with web development skills (HTML, CSS3, JavaScript). SAPUI5 provides extensible controls and powerful theming but is easy to consume, based on open standards, and integrates with third-party JavaScript libraries. SAPUI5 applications run on a wide range of devices (smartphone, tablet, and desktop) and on multiple server platforms.

    Related Information

    • UI Development Toolkit for HTML5 Developer Center (SAP Developer Center)
    • A Vocabulary and Associated APIs for HTML and XHTML (W3C Editor's Draft)

    1.1.2 SAP NetWeaver Identity Management REST Interface Version 2

    The SAP NetWeaver Identity Management REST Interface offers a remote interface to SAP NetWeaver Identity Management and its data, that is, it allows you to use custom user interfaces (UIs) that access the SAP NetWeaver Identity Management data.

    For more information about the Identity Management REST Interface Version 2, see SAP NetWeaver Identity Management REST Interface Version 2.

    Related Information

    • SAP NetWeaver Identity Management REST Interface Version 2
    • Virus Scan Interface

    1.1.3 Prerequisites

    Before you can install and configure the Identity Management User Interface for HTML5, the following prerequisites need to be fulfilled.

    You should have the following knowledge:

    • Thorough knowledge about SAP NetWeaver AS Java and its tools.
    • Thorough knowledge about SAP NetWeaver Identity Management, and Identity Center in particular.

    The following software is required:

    • SAP NetWeaver 7.3 SP9 Patch 1 and higher, or SAP NetWeaver 7.3 including Enhancement Package 1 (EHP1) SP6 Patch 3 and higher (on which SAP NetWeaver Identity Management User Interface and SAP NetWeaver Identity Management User Interface for HTML5 are to be deployed).
    • SAP NetWeaver Identity Management Identity Center version 7.2 SP8 or higher, must be correctly installed and licensed.
    • An Identity Center where at least one dispatcher is configured and running (see SAP NetWeaver Identity Management Identity Center: Initial Configuration).
    • SAP NetWeaver Identity Management User Interface is installed and configured in accordance with SAP NetWeaver Identity Management Identity Center: Installing and configuring the Identity Management User Interface.
    • SAP NetWeaver Identity Management REST Interface Version 2 is deployed on your AS Java (where the SAP NetWeaver Identity Management User Interface is deployed) in accordance with SAP NetWeaver Identity Management REST Interface Version 2.
    • SAPUI5 library is required. The required library is available as an AS Java Extension for the SAP NetWeaver version you are using (versions 7.3 SP9 Patch 1 and higher, or EHP1 for SAP NetWeaver 7.3 SP6 Patch 3 and higher). Download the library extension from the SAP Software Download Center and deploy the downloaded SCA file on your AS Java server, using the Software Update Manager (SUM).

    Note
    To locate the correct SAPUI5 library, choose the following path on the SAP Software Download Center: Support Packages and Patches A - Z Index N SAP NETWEAVER Entry by Component AS Java Extensions SAPUI5 CLIENT RT ASJAVA # OS independent.


    Related Information

    • SAP NetWeaver Identity Management Identity Center Installation overview
    • SAP NetWeaver Identity Management Identity Center Installing and configuring the Identity Management User Interface
    • SAP NetWeaver Identity Management Identity Center Initial Configuration
    • SAP NetWeaver Identity Management REST Interface Version 2
    • SAP Software Download Center
    • Using the Software Update Manager (SUM)

    1.1.4 Installation and Configuration Process

    When all prerequisites are fulfilled, you can start the installation and configuration of the Identity Management User Interface for HTML5.

    The process of installing and configuring the Identity Management User Interface for HTML5 involves completing the following steps:

    • Authorization and authentication for the REST interface:
        • Assigning the required role and actions in User Management Engine (UME)
        • Enabling single sign-on with logon tickets
    • Adding the predefined user interface tasks in the Identity Center Management Console and configuring the solution
    • Deploying the Identity Management User Interface for HTML5 on your AS Java
    • Accessing the Identity Management User Interface for HTML5

    1.1.5 Limitations and Considerations

    Modifications of the Identity Management User Interface

    Any modifications of the Identity Management User Interface for HTML5 are not supported.

    • The imported tasks should not be deleted or replaced by any similar tasks in the configuration, because the task GUIDs are referred to directly in the code of the user interface.
    • The imported, predefined User Interface tasks should not be modified in any way (including attributes and the access control defined on the tasks).
    • JavaScript files in the deployment package should not be replaced, removed or modified in any way.

    Language Settings

    You change the language for the Identity Management User Interface for HTML5 by modifying the language setting for the respective browser. For more information on how to update the browser language, see the browser documentation.

    Note
    A limitation of Microsoft Internet Explorer 9 is that it takes the language configured for the operating system. In such a case, it is recommended that you update to Microsoft Internet Explorer 10, which does not have this limitation.

    Picture Uploads

    The upload of pictures in any format is not supported by Microsoft Internet Explorer 9. In such a case, you will receive the following error message: Browser does not support getting the file for uploading. Then, you need to upgrade to Microsoft Internet Explorer 10.

    Related Information

    • Identifying the Language Code / Locale

    1.2 Authorization and Authentication for the Identity Management User Interface for HTML5

    To access the REST API v2, the user requires the UME actions idm_authenticated and idm_authenticated_restapi. To access Identity Management User Interface for HTML5, the user needs the UME action idm_authenticated_ui5 in addition to the actions required for the REST API v2. The role idm.user contains all three of these UME actions, and you should assign it to the user so that he or she has the appropriate authorization and authentication for the Identity Management User Interface for HTML5.

    These actions and the role are provided as part of the software component containing the Identity Management User Interface and the REST service. All other necessary authorizations for a service call are defined by the access control of the related Identity Management UI task.

    The default configuration of the SAP NetWeaver Identity Management 7.2 REST API forces a logon on all requests using the provided basic authentication credentials, which consumes time and leads to a high number of security sessions in the SAP NetWeaver AS Java. Using single sign-on (SSO) with logon tickets for the REST API improves the performance.
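The action requirements above can be checked against an export of role assignments. The following audit is an added example, not part of the SAP documentation: the action names and the role idm.user are the ones named above, while the export layout, the user IDs and the two Z_ roles are constructed for illustration.

```python
# Added example: audit who can reach the REST API v2 and the HTML5 UI.
# Action and role names come from section 1.2; the export layout, user IDs
# and the Z_* roles are constructed sample data, not a real UME format.

REST_ACTIONS = frozenset({"idm_authenticated", "idm_authenticated_restapi"})
UI5_ACTION = "idm_authenticated_ui5"
STANDARD_ROLE = "idm.user"

# Constructed role definitions (role -> UME actions it grants).
ROLE_ACTIONS = {
    "idm.user": REST_ACTIONS | {UI5_ACTION},
    "Z_REST_CLIENT": set(REST_ACTIONS),  # hypothetical custom role
    "Z_UI5_ONLY": {UI5_ACTION},          # hypothetical, misconfigured role
}

# Constructed user export (user -> assigned roles).
USER_ROLES = {
    "alice": ["idm.user"],
    "svc_hr_sync": ["Z_REST_CLIENT"],
    "bob": ["Z_UI5_ONLY"],
    "carol": ["Z_REST_CLIENT", "Z_UI5_ONLY"],
    "dave": [],
}


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of the UME actions granted by all of a user's roles."""
    actions = set()
    for role in roles:
        actions |= set(role_actions.get(role, ()))
    return actions


def classify(roles, role_actions=ROLE_ACTIONS):
    """Return (access level, findings) for one user's role list."""
    actions = effective_actions(roles, role_actions)
    has_rest = REST_ACTIONS <= actions   # both REST API v2 actions present
    has_ui5 = UI5_ACTION in actions
    findings = []
    if has_rest and has_ui5:
        access = "ui5"
        if STANDARD_ROLE not in roles:
            # Works, but deviates from the documented idm.user assignment.
            findings.append("UI access not granted through idm.user")
    elif has_rest:
        access = "rest_only"
    else:
        access = "none"
        if has_ui5:
            findings.append("idm_authenticated_ui5 without the REST API actions")
        elif actions & REST_ACTIONS:
            findings.append("only one of the two REST API actions assigned")
    return access, findings


def audit(user_roles=USER_ROLES, role_actions=ROLE_ACTIONS):
    """Classify every user in the export."""
    return {u: classify(r, role_actions) for u, r in user_roles.items()}


if __name__ == "__main__":
    for user, (access, findings) in audit().items():
        print(f"{user:12} {access:10} {'; '.join(findings) or 'ok'}")
```
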

    1.2.1 Assigning the Role idm.user

    Context

    Make sure that all users that will use the Identity Management User Interface for HTML5 are assigned the role idm.user (this assigns the necessary UME actions idm_authenticated, idm_authenticated_restapi and idm_authenticated_ui5 to the user).

    To assign the role to the users, proceed as follows:

    Procedure

    1. In the UME (http(s)://:/useradmin), search for the role idm.user.
    2. Assign the role to all users that you want to be able to access the Identity Management User Interface for HTML5.

    Related Information

    • Administration of Users and Roles in User Management Engine (UME) for SAP NetWeaver 7.3
    • Administration of Users and Roles in User Management Engine (UME) for SAP NetWeaver 7.3 EHP1

    1.2.2 Enabling Single Sign-On with Logon Tickets

    To improve performance, make sure that single sign-on with logon tickets is enabled for the REST service, as described in SAP NetWeaver Identity Management REST Interface Version 2 (see topic Configuring Single Sign-On With Logon Tickets in the REST Interface for AS Java 7.1 and higher).

    Related Information

    • SAP NetWeaver Identity Management REST Interface Version 2

    1.3 Adding the Predefined User Interface Tasks and Configuring the Solution

    You can manage information displayed in the Identity Management User Interface for HTML5 and the access restrictions for this information through User Interface tasks in the Identity Center Management Console. You need to import predefined User Interface tasks into the Identity Center Management Console. You should not change the User Interface, and therefore should not delete, replace, or modify the imported, predefined User Interface tasks in any way.

    Some configuration is required for the solution.

    1.3.1 Importing the Task Folder

    Context

    The file UI tasks for HTML5.mcc contains a folder with the predefined User Interface tasks. To import the folder, proceed as follows:

    Procedure

    1. In the Identity Center Management Console, select the identity store node in the console tree (by default, Enterprise People) and choose Import from the context menu.
    2. Navigate to the directory /Templates/Identity Center/UI for HTML5 and select the file UI tasks for HTML5.mcc.
    3. Choose Open. The SAP NetWeaver Identity Management Configuration Copy Tool dialog box appears.
    4. Select the option Link tasks into display- and event properties on entry types and attributes and make sure that Import is selected.
    5. Select the Advanced tab and make sure that a dispatcher is selected for the imported tasks.
    6. Choose Next > and then Import.
    7. When the import is completed, choose Finish. Alternatively, to view the details about the completed import, choose View logfile before choosing Finish.

    Results

    The imported folder with all the User Interface tasks is added to the Identity Center identity store (you may have to refresh the console tree before it is visible).

    The imported folder contains the following User Interface tasks:

    | Name of the UI task | Description |
    | Display Identity | Displays the details of an identity entry. For future use. |
    | My Data | Retrieves and updates the user data (for example, user picture, name (first, last and middle name(s)), title, language, and so on). Associated with the My Data page (overview data) and the Change My Data page (accessed from the My Data page by choosing the Change My Data button) in the Identity Management User Interface for HTML5. |
    | My Roles | Retrieves and updates details about the assigned roles and requested new roles. Associated with the My Roles page and the My Requests page in the Identity Management User Interface for HTML5. |
    | Display Role | Displays detailed information of a role (for example, role description). Associated with the pages My Requests and My Roles in the Identity Management User Interface for HTML5. |
    | Display Company Address | Displays detailed information for company address (information like company name, location, phone number, and so on). Associated with the Workplace Data section of the My Data page in the Identity Management User Interface for HTML5. |
    | My Security Questions | Retrieves the currently-available security questions and updates the answers to these questions. Associated with the My Security Questions section of the My Data page and the Change My Security Question page (accessed from the My Data page, under the My Security Questions section) in the Identity Management User Interface for HTML5. |
    | Business Area (Allowed Values) | Retrieves the list of defined business areas, which can be used to search for roles that are relevant for a specific business area. Associated with the My Requests page in the Identity Management User Interface for HTML5. |

    Do not delete, replace, or modify the imported, predefined User Interface tasks in any way.

    Note
    The imported tasks cannot be deleted or replaced by any similar tasks in the configuration, because the task GUIDs are referred to directly in the code of the user interface.

    Note
    Do not modify the imported tasks to include new attributes.

    Note
    Do not modify access control for the predefined tasks.

    1.3.2 Configuring the Solution

    To use the predefined User Interface tasks for Identity Management User Interface for HTML5, you need to configure or maintain the following:

    • In the List column of the Attributes tab of the MX_ROLE entry type, select the DESCRIPTION attribute.
    • Maintain the values of the attributes MX_SALUTATION, MX_TITLE_SUPPLEMENT, and MXREF_MX_COMPANY_ADDRESS for the My Data task.
    • Maintain the values for the attribute MX_BUSINESS_AREA for the entry type MX_ROLE.
    • View the access control defined for the User Interface tasks.
    • Activate HTTPS (the use of SSL) on your AS Java.

    1.3.2.1 Defining the DESCRIPTION Attribute for the MX_ROLE Entry Type

    Context

    For the entry type MX_ROLE, you need to select the attribute DESCRIPTION in the List column of the entry type's Attributes tab. This is important for the description information displayed on the My Requests page in the Identity Management User Interface for HTML5.

    Procedure

    1. Select and open the entry type MX_ROLE in the console tree of the Identity Center Management Console (under the Entry types node of the identity store schema) to view the entry type's properties.
    2. Select the Attributes tab.
    3. Find the DESCRIPTION attribute and select the List option.
    4. Choose OK to save and close the dialog box.

    1.3.2.2 Maintaining the Attributes for the My Data Task

    The My Data task is responsible for retrieving and updating the user data like user picture, name (first, last, and middle name(s)), title, or language. No actual configuration of the User Interface task is necessary, but you need to maintain some attribute values:

    • MX_SALUTATION: Language-specific, ABAP mapping attribute displaying the title of the user (Mr, Mrs, and so on). Retrieve the input help for the attribute from the system (read customizing table (TSAD3, TSAD3T)) or maintain it manually. The value defined for this attribute for the given identity entry also needs to be retrieved from the system, and any changes in the value should be updated in the system.
    • MX_TITLE_SUPPLEMENT: Language-specific, ABAP mapping attribute displaying a title supplement, such as a noble title. Retrieve the input help for the attribute from the system (read customizing table (TSAD5)) or maintain it manually. The value defined for this attribute for the given identity entry also needs to be retrieved from the system, and any changes in the value should be updated in the system.
    • MXREF_MX_COMPANY_ADDRESS: This entry reference attribute should be retrieved from the system (or maintained manually). The workplace location data displayed on the user interface is derived from this value.

    The allowed values for attributes MX_SALUTATION and MX_TITLE_SUPPLEMENT, and the valid entries for the entry reference MXREF_MX_COMPANY_ADDRESS can be obtained using the standard "initial load" job templates of the SAP provisioning framework. Check if the necessary data is already available in your identity store and that it is correct. If not, obtain the data using the "initial load" jobs. You can also use the SAP provisioning framework to read the values/references defined for the identity entries into the identity store and to provision this data to target systems. For more details about the SAP provisioning framework and the "initial load" jobs, see SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide.

    Related Information

    • SAP NetWeaver Identity Management for SAP System Landscapes: Configuration Guide

    1.3.2.2.1 Virus Scan Interface

    The option to upload user pictures to the Identity Management User Interface for HTML5 could be abused to distribute viruses. Identity Management REST Interface 2.0 supports the virus scan interface of the AS Java for write access of the binary attributes in the identity store. For details about how to set up the virus scan interface and how to configure it for different services, such as the Identity Management REST interface, see the documentation regarding the virus scan interface for your AS Java on SAP Help Portal.

    To learn more about the details that are specific to using the virus scan interface together with the Identity Management REST interface, see SAP NetWeaver Identity Management REST Interface Version 2.

    Related Information

    • Virus Scan Interface for SAP NetWeaver 7.3 (SAP Help Portal)
    • Virus Scan Interface for SAP NetWeaver 7.3 EHP1 (SAP Help Portal)
    • SAP NetWeaver Identity Management REST Interface Version 2

    1.3.2.3 Maintaining the Attribute MX_BUSINESS_AREA for Entry Type MX_ROLE

    We recommend that you categorize the roles into business areas, which means maintaining the MX_BUSINESS_AREA attribute of the MX_ROLE entry type. This information is used/displayed by the My Roles task, which retrieves and updates the details about the assigned roles and requested new roles for a user. The My Requests page of the User Interface allows the filtering of roles by business area.

    1.3.2.4 Access Control for the Tasks

    Do not modify access control for the predefined tasks.

    1.3.2.5 Configuring the AS Java for SSL Use

    Context

    To be able to update the answers of the security questions on the Change My Security Questions page in the Identity Management User Interface for HTML5, HTTPS must be activated for your AS Java where the User Interface is installed. You can configure the use of SSL in two ways: either manually, by configuring the ICM and the AS Java keystore separately, or by using the SSL configuration tool in SAP NetWeaver Administrator.

    Proceed as follows:

    Procedure

    1. Follow the steps described in Configuring the Use of SSL on the AS Java.
    2. Your AS Java is ready to use SSL. You may want to test the SSL connection to the AS Java after performing the configuration.

    Related Information

    • Configuring the Use of SSL on the AS Java for SAP NetWeaver 7.3
    • Configuring the Use of SSL on the AS Java for EHP 1 for SAP NetWeaver 7.3

    1.4 Deploying the Identity Management User Interface for HTML5

    Context

    To deploy the Identity Management User Interface for HTML5, do the following:

    Procedure

    1. Download the SCA file (the Identity Management User Interface for HTML5) to be deployed. Navigate to the download area of SAP NetWeaver Identity Management 7.2 in the SAP Software Download Center (on the SAP Support Portal), and download the SCA file.

       Note
       To locate the correct SCA file for the Identity Management User Interface for HTML5, choose the following path on the SAP Software Download Center: Support Packages and Patches A - Z Index N SAP NW IDENTITY MANAGEMENT SAP NW IDENTITY MANAGEMENT 7.2 Comprised Software Component Versions NW IDM 7.2 UI FOR HTML5 # OS independent.

       Note
       Make sure that the SCA file for the Identity Management User Interface for HTML5 has the same SP version as the SAP NetWeaver Identity Management (and its user interface) and the SAP NetWeaver Identity Management REST Interface Version 2. The SCA file name is IDM_UI_HTML5_.sca. For example, for SAP NetWeaver Identity Management 7.2 SP8 (Patch 0), the file name is IDM_UI_HTML508_0.sca.

    2. Use the Software Update Manager (SUM) to deploy the Identity Management User Interface for HTML5 (the SCA file) on your SAP NetWeaver AS Java where both the Identity Management REST Interface Version 2 and the Identity Management User Interface are deployed.

    Related Information

    • SAP Software Download Center
    • Using the Software Update Manager (SUM)

    1.5 Accessing the Identity Management User Interface for HTML5

    Context

    To access the Identity Management User Interface for HTML5, proceed as follows:

    Procedure

    1. Enter http(s)://:/idmui5 in your browser.
    2. Provide the credentials in the logon window and choose Log On.
    3. You are now logged on to the Identity Management User Interface for HTML5. The My Data page appears.

    1.6 Upgrading the Identity Management User Interface for HTML5

    Context

    To perform an upgrade of a deployed Identity Management User Interface for HTML5 component, proceed as follows:

    Note
    The SCA file for the Identity Management User Interface for HTML5 must be on the same SP level as SAP NetWeaver Identity Management (and its User Interface) and SAP NetWeaver Identity Management REST Interface Version 2. Upgrading the Identity Management User Interface for HTML5 to a new SP version requires the upgrading of the other components to the same SP version first.

    Procedure

    1. Update the User Interface task folder and configure the solution as described in Adding the Predefined User Interface Tasks and Configuring the Solution. When updating the task folder, make sure that you select the Update option instead of Import.
    2. Update the Identity Management User Interface for HTML5 by deploying the new SCA file as described in Deploying the Identity Management User Interface for HTML5.

    Related Information

    • Adding the Predefined User Interface Tasks and Configuring the Solution
    • Deploying the Identity Management User Interface for HTML5
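The minimum levels listed under Prerequisites (1.1.3) and the same-SP requirement stated for deployment (1.4) and upgrade (1.6) can be checked before SUM is started. This pre-flight check is an added example, not SAP code: the function names and the sample landscape are constructed, and the file-name pattern is an assumption inferred from the single example IDM_UI_HTML508_0.sca.

```python
# Added example: version pre-flight for deploying or upgrading the HTML5 UI.
import re
from typing import NamedTuple


class Level(NamedTuple):
    sp: int
    patch: int


# Minimum AS Java levels from the Prerequisites section.
MIN_AS_JAVA = {
    "7.3": Level(sp=9, patch=1),
    "7.3 EHP1": Level(sp=6, patch=3),
}
MIN_IDM_SP = 8  # Identity Center 7.2 SP8 or higher

# Assumption: two-digit SP, underscore, patch number. Inferred only from the
# page's example IDM_UI_HTML508_0.sca (7.2 SP8, Patch 0).
SCA_NAME = re.compile(r"^IDM_UI_HTML5(\d{2})_(\d+)\.sca$")


def parse_sca_name(file_name):
    """Return the Level encoded in an HTML5 UI SCA file name, or None."""
    match = SCA_NAME.match(file_name)
    if match is None:
        return None
    return Level(sp=int(match.group(1)), patch=int(match.group(2)))


def preflight(as_java_release, as_java_level, idm_sp, component_sps, sca_file):
    """Return a list of findings; an empty list means every check passed.

    idm_sp is the Identity Center SP; component_sps maps the other installed
    components (User Interface, REST Interface Version 2) to their SP.
    """
    findings = []
    minimum = MIN_AS_JAVA.get(as_java_release)
    if minimum is None:
        findings.append(f"AS Java release {as_java_release!r} is not listed "
                        "in the prerequisites")
    elif tuple(as_java_level) < minimum:  # (SP, patch) compared in order
        findings.append(f"AS Java {as_java_release} SP{as_java_level[0]} "
                        f"Patch {as_java_level[1]} is below the required "
                        f"SP{minimum.sp} Patch {minimum.patch}")
    if idm_sp < MIN_IDM_SP:
        findings.append(f"Identity Center is at SP{idm_sp}, below the "
                        f"required SP{MIN_IDM_SP}")
    sca = parse_sca_name(sca_file)
    if sca is None:
        findings.append(f"{sca_file!r} does not match the HTML5 UI SCA "
                        "naming example")
        return findings
    # All components must be on the SP level of the SCA being deployed.
    installed = {"Identity Center": idm_sp, **component_sps}
    for name, sp in installed.items():
        if sp != sca.sp:
            findings.append(f"{name} is at SP{sp} but {sca_file} is SP{sca.sp}")
    return findings


if __name__ == "__main__":
    # Constructed landscape: REST interface left one SP behind.
    sample = {"Identity Management User Interface": 8,
              "REST Interface Version 2": 7}
    for line in preflight("7.3 EHP1", Level(6, 3), 8, sample,
                          "IDM_UI_HTML508_0.sca"):
        print("FINDING:", line)
```
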
